Tyler Julian
A few things that'd be nice to see in a verbose logging mode: 1. Any HTTP/DB calls that are made and their details. So URLs, headers, request/response body. 2. Printing...
> That way you can get the service by name, then lookup its main PID from properties, then use your method with the PID to get the path, and finally...
Got it, thanks. Do you happen to know if it's only available after certain versions of systemd? I tried using `GetUnitProperty` to look it up (and could find other properties...
Ah, I got it - needed to use `GetServiceProperty` not `GetUnitProperty`, since `MainPID` is defined on the `org.freedesktop.systemd1.Service` interface, not `org.freedesktop.systemd1.Unit`. Working through a final compatibility issue that seems to...
Seems like the call to `GetUnitByPID()` on 18.04 is returning the object path to the root slice configuration unit `-.slice` (http://manpages.ubuntu.com/manpages/bionic/man5/systemd.slice.5.html), looking into this more
Good point on taking TTL into account. IMHO we should have a sane upper bound on the backoff of like a few minutes, in addition to the configured TTL.
What about sorting by the registration entry's `created_at` time from oldest to newest? This way, entries created later would not override the current default.
IMHO the primary reason that AWS IID and GCP IIT attestors disable re-attestation is because there is no access control on the IID/IIT (since they're available on the host's network...
> Should these just be different trust domains?

It's a possibility; however, if the two orchestrators share the same SPIRE clusters, they are bound to the same trust domain. The...
I like that idea. Here's some quick thoughts on what that could look like: ``` message RegistrationRequest { // The authenticated identity of the actor making a request. // //...